This is one of the consequences of the attack on the hardware manufacturer MSI last April: Private keys belonging to Intel’s Boot Guard security function were found in nature on the dark web. This is a security feature designed to prevent malicious firmware from loading. Result: Intel is actively investigating, reveals the website BleepingComputer, Monday, May 8th.
On April 7, hackers from the Money Message group attacked Taiwanese computer hardware maker Micro-Star International (MSI). They claimed to have stolen 1.5 TB of data including firmware, source codes and databases. They demanded a ransom of $4 million. And given MSI’s refusal to pay, stolen data was released last week, our colleagues report.
“The entire Intel ecosystem is affected by this MSI data leak”
Among them: the source code of the firmware used by MSI’s motherboards – but the latter contains Intel Boot Guard’s private keys for 116 MSI products, cybersecurity expert Alex Matrosov warns on his Twitter account.
See more
⛓️Recently, @msiUSA announced a major data breach. The data has now been released, revealing a variety of private keys that could affect numerous devices.
🔥FW Image Signing Keys: 57 products
🔥Intel BootGuard BPM/KM Keys: 166 products🔬https://t.co/uwqWIU9xhR
– Alex Matrosov (@matrosov) May 4, 2023
The specialist added that this leak could have caused Intel Boot Guard on MSI devices using the internal chips “11th Gen Tiger Lake, 12th Gen Adler Lake and 13th Gen Raptor Lake” to fail. was ineffective. When asked by our colleagues, Alex Matrosov pointed out that “the entire Intel ecosystem has been affected by this MSI data breach. This is a direct threat to MSI customers, and unfortunately not just them,” he warned.
Intel does not confirm that private keys are in the wild
The security function “Intel Boot Guard” would therefore be severely affected by the attack. According to Intel, “Researchers have claimed that private signing keys were included in the data (affected by the cyberattack, ed.), specifically MSI’s OEM signing keys for Intel Boot Guard.” The company only said it was actively investigating the issue, without confirming that the private keys were out in the wild. The company added that “Intel BootGuard OEM keys are generated by the system manufacturer, they are not Intel signing keys.”
Normally, Intel Boot Guard prevents the installation of malicious firmware. This type of software is loaded before the operating system, allowing it to operate undetected by security software and help install malware once a device has been compromised. Intel’s system typically verifies that the firmware in question is legitimate by using a private signing key and public key built into the Intel hardware. If the signature fails, the firmware is not loaded.
Also read: Cyber attacks: What does the EU’s envisaged “European Cyber Shield” consist of?
However, if these keys are in the wild, they could be used to sign malware disguised as MSI-related software. In other words, the security feature is no longer reliable on devices that would be known to use compromised keys. In a message to our colleagues at TechTarget, Alex Matrosov added that other hardware vendors and models are affected, namely HP’s t430 and t638 thin clients, Lenovo’s Ideacentre AIO 330-20IGM, 310s-08igm and a340-24igm models; Lenovo v330 and v130 laptops; CompuLab’s fitlet2 IoT gateway; and finally, Star Labs’ StarLite MkIII and MkIV ultrabooks.